In a communication system, a communication terminal can be present in a visited communication network or in its home communication network. Communication between the terminal and the networks typically needs to be secured, and there exist several security algorithms for integrity protection, encryption and decryption. Each network may accept or prefer some of these security algorithms for integrity protection, encryption and decryption.
This description is generally concerned with a mobile terminal having an association (e.g. subscription) with its own home telecommunication network (Home Public Land Mobile Network, HPLMN), but currently being present in a visited telecommunication network (Visited Public Land Mobile Network, VPLMN), providing network connectivity. As a special case, the HPLMN and the VPLMN may be one and the same network. However, each of the communication terminals referred to in this description can be any type of terminal connected to a visited (or home) communication network, e.g. a wireless or non-wireless phone, a computer connected to a local area network (LAN), etc.
With reference to FIG. 1, a communication terminal 100 is present in a visited telecommunication network, VPLMN 102, and communicates with other terminals and/or application functions in the VPLMN 102 or in its own home telecommunication network, HPLMN 106. For secure communication, any conventional security algorithms can be used, such as A5/1, A5/2, A5/3, A5/4, UEA1 and UEA2, used in 2G/3G mobile networks, etc. The security algorithms have different security properties, i.e. they have different “strengths” in protecting information. A Mobility Management Entity (MME) 104 in the VPLMN 102 holds information on which security algorithms are supported and accepted by the VPLMN 102 for user Authentication and Key Agreement (AKA). The HPLMN 106 deploys a user database, the Home Subscriber Server (HSS) 108, which likewise holds information on which security algorithms are supported and accepted by the HPLMN 106. A Radio Base Station (RBS) 112 in the VPLMN 102, to which the communication terminal 100 is currently connected, communicates with the communication terminal 100. A security algorithm supported and accepted by the VPLMN 102 is used for securing the communication.
As mentioned, the security algorithms have different strengths, and at any point in time there is always a risk that an algorithm previously considered secure is found to be more or less flawed. If a security algorithm is found to be insecure, there are some methods generally available today for preventing the algorithm from being used, which are briefly described in the sections below.
Upgrade Radio Base Stations
An insecure security algorithm can be removed and preferably replaced with a different, stronger one. However, the security algorithms are typically implemented in hardware and placed in each radio base station, RBS. Removing an insecure security algorithm from each RBS where it is stored is a very time-consuming and expensive procedure.
Special RAND
The signalling information for the authentication communication comprises a RAND value in the AKA protocol. In mobile communication, RAND is a random value, and AKA (Authentication and Key Agreement) is a standardised challenge-response protocol; neither therefore needs to be described in more detail here.
The HPLMN (HSS) issues the RAND value, and can use a part of that value to define which security algorithms are deemed acceptable to the HPLMN. For instance, the security algorithm A5/j is deemed acceptable if, and only if, the j-th bit of the RAND value is “1”. This method is referred to as “Special RAND” and was earlier proposed in 3GPP SA3 [Orange and Nokia, “Introducing the special RAND mechanism as a principle for GSM/GPRS”, S3-040529, SA3#34, 6-9 July, Acapulco, Mexico; Orange and Vodafone, “Further development of the Special RAND mechanism”, S3-030588, SA3#30, 7-10 Oct. 2003]. However, using a part of the RAND value to declare which security algorithms are acceptable to the HPLMN decreases the entropy/randomness of the RAND value. Furthermore, with the “Special RAND” solution the security algorithm policy is controlled mainly by the HPLMN, and the operator of the VPLMN has some difficulty in influencing the security algorithm policy.
Key Separation
Separate encryption keys can be used with different algorithms. For instance, an encryption key can be calculated by a function that takes an original base key and some identifier for the algorithm as input. If, e.g., a so-called “hash” function is applied, the encryption key can be calculated as encryption key=hash(base_key, <algorithm_ID>). This method ensures that different algorithms get distinct keys.
The benefit of this is that if one of the algorithms is broken, so that any key used with that algorithm must be assumed compromised, it is generally not a problem that the same base key is also used (via a different derived key) with a different, secure algorithm. If the same key is used with several algorithms, an attacker might be able to break the insecure algorithm, obtain the key and then provoke the terminal into using the broken key with a secure algorithm.
This is useful practice to prevent a weakness in one algorithm from spreading to another algorithm, but it does not prevent the broken algorithm from being used as such. Calculating an additional encryption key also consumes a certain amount of calculation capacity.
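As an added illustration of the key separation calculation described above (example code, not part of the original description), the following derives one key per algorithm from a base key and checks which other algorithms would be exposed if one algorithm's key were recovered. HMAC-SHA256 as the hash function and the one-byte algorithm identifiers are assumptions; the page only says hash(base_key, <algorithm_ID>).

```python
import hashlib
import hmac

# Constructed algorithm identifiers (assumption: the real encoding of
# <algorithm_ID> is not given on the page).
ALGORITHM_IDS = {
    "A5/1": b"\x01", "A5/2": b"\x02", "A5/3": b"\x03", "A5/4": b"\x04",
    "UEA1": b"\x11", "UEA2": b"\x12",
}
KEY_LEN = 16  # bytes of derived key handed to the algorithm


def derive_algorithm_key(base_key: bytes, algorithm: str) -> bytes:
    """Key separation: encryption key = hash(base_key, <algorithm_ID>).

    HMAC-SHA256 plays the role of the keyed hash (assumption). The label
    and algorithm identifier make the derived key specific to one algorithm,
    so no two algorithms share a key even though they share the base key.
    """
    msg = b"alg-key|" + ALGORITHM_IDS[algorithm]
    return hmac.new(base_key, msg, hashlib.sha256).digest()[:KEY_LEN]


def separated_keys(base_key: bytes) -> dict:
    """One distinct key per algorithm (the key separation scheme)."""
    return {name: derive_algorithm_key(base_key, name) for name in ALGORITHM_IDS}


def shared_keys(base_key: bytes) -> dict:
    """Baseline without separation: every algorithm uses the base key as-is."""
    return {name: base_key[:KEY_LEN] for name in ALGORITHM_IDS}


def key_reuse_exposure(keys: dict, broken_algorithm: str) -> list:
    """Algorithms whose key equals the one recovered from the broken algorithm.

    With separated keys this is empty: recovering the A5/2 key says nothing
    about the A5/3 key. With a shared key every other algorithm is exposed.
    """
    leaked = keys[broken_algorithm]
    return sorted(n for n, k in keys.items() if n != broken_algorithm and k == leaked)


if __name__ == "__main__":
    base = bytes(range(16))  # constructed base key
    print("separated:", key_reuse_exposure(separated_keys(base), "A5/2"))
    print("shared:   ", key_reuse_exposure(shared_keys(base), "A5/2"))
```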
Use of Authentication Management Field (AMF)
According to the AKA protocol, the AUTN (Authentication Token) comprises an Authentication Management Field (AMF), which can be used for conveying information on the selected security algorithm from the HPLMN to the communication terminal. The communication terminal comprises a USIM (UMTS Subscriber Identity Module) and a mobile entity. The AMF has hitherto been specified as an operator-proprietary field. Using the AMF for a different purpose can therefore be difficult because of possible conflicts with any existing use of it. In addition, by using the AMF only the HPLMN is capable of controlling the security algorithm policy, since the AMF is integrity protected from the HSS in the HPLMN all the way to the USIM.
Hence, there are certain problems associated with the existing solutions outlined above. First, updating the radio base stations is typically a very time-consuming and expensive procedure.
Another problem is that by using existing signalling messages or parts thereof, as in the “Special RAND” or “AMF” solutions, the existing signalling messages at least partly lose their information capacity, and other use of these messages is also prevented. Using, e.g., a part of the RAND value for distribution of a security algorithm policy degrades the entropy or randomness of the RAND value. Additionally, even if the usage of the AMF field is unspecified in the AKA protocol, other uses of it may still exist. In addition, in environments with nodes and terminals from different releases, backward compatibility issues typically give rise to serious problems. Therefore, it is preferred not to use the AMF or part of the RAND value for transmitting information regarding the security algorithm to be used in the communication between nodes or elements in the communication networks.
Yet another problem is that when using the existing solutions, only the HPLMN or the VPLMN is capable of controlling the security algorithm policy. In particular, it is important to note that in the VPLMN, security policies are usually under control of the MME (or similar entity) which can be considered a fully trustworthy entity whereas the actual implementation of the security algorithms is typically the responsibility of another node (e.g. the radio base station) which is usually less trustworthy. From the user/terminal point of view, there is therefore a need to be able to securely verify that the security algorithm chosen (by the base station) is in compliance with both the security policy of the HPLMN (HSS) and VPLMN (MME).